Hi, I'm joepie91, also known as Sven Slootweg. I do stuff on the internet.

This is how you can contact me:

Consider my old (pre-2014) GPG key to be compromised. I will publish a new GPG key Soon™.

Perhaps you're concerned that I'm a hacker, or you just want to learn more about me? Or maybe you're interested in knowing more about the police raid that was carried out on me?

Found a security vulnerability in any of my code? E-mail me at security@cryto.net. A 48-hour response time is guaranteed. A 48-hour patch timeframe is guaranteed where physically possible for me to do so (nearly all cases). I take security seriously.

I am currently offering Node.js code review and tutoring services, at affordable rates. More details can be found here.

Some things that you may know me from:

Some public speaking(-ish) I've done:

Some useful things:

Primarily, I'm that guy back in high school that you never noticed, who decided to get shit done. I'm not special, I'm not worth any more than any other human being, and I do not have any unique talents that others do not possess. The only reason I can make this list is because I choose to just. get. things. done. Consider doing the same, in your personal field of interest or talent. Especially if it's for a good cause.

Some other projects I've worked on or am still working on:

Whenever you see anything I make, be it code, writings, or anything else creative - assume you can reuse, remix, share, copy, pirate, redistribute, and whatever-the-hell-you-want-to it under the WTFPL, unless indicated otherwise.

RIP Aaron Swartz. Don't let his work be in vain.

If you like my work, you can donate here to support me :)


Because I really do need a place to keep track of ideas I have. As usual, feel free to implement, remix, reuse, or otherwise repurpose.

Web-based keypair authentication

UPDATE: Looks like this has been implemented, more or less, in the form of SQRL. Kind of.

$user installs a simple application locally, let's call it "gpgme". When $user visits a $site and wishes to log in, he clicks a "login via keypair" link, which is actually a URI in the format of gpgme://site.com/$sessionid. As gpgme:// is a registered URI handler for the gpgme application, that application is launched and either immediately authenticates with the daemon running on site.com, or, for example, shows the user a choice of accounts for multiple identity management. As the daemon on site.com determines "ah, this key is this $user", it authenticates the session with the specified session ID as $user.

Note that up to the point where the gpgme application sends the authentication data to the daemon, the server is *not* aware of the identity of whoever is trying to log in. It simply assigns whatever identity authenticates itself, to the current session, without any expectations as to who this identity is going to be.

Written in something like Python, the gpgme application would be easy to implement in a cross-platform and cross-browser manner. As virtually all browsers support custom registered URI handlers, there is no need for a browser extension (although it may be interesting to develop one to provide additional features such as a "preview" of who you are going to log in with).

The server-side daemon can either be a stand-alone daemon or a simple script handling the keypair authentication, running via the already existing HTTPd. This would allow for it to work, even on shared hosting systems.
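A sketch of the exchange described above, added here as an example and not code from this page or from SQRL. It assumes Ed25519 keys from the Python `cryptography` package, and the challenge format, `SESSION_TTL`, and every class and function name are hypothetical.

```python
import secrets
import time
from urllib.parse import urlparse
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

HOST = "site.com"   # the daemon's own host name, as in the example URI above
SESSION_TTL = 120   # assumption: seconds an unclaimed session ID stays valid

def raw(public_key):
    return public_key.public_bytes(Encoding.Raw, PublicFormat.Raw)

def challenge(host, sid):
    # Assumed message format: signing the host too ties a signature to one site.
    return f"gpgme-login|{host}|{sid}".encode()

class Daemon:
    def __init__(self):
        self.users = {}      # raw public key -> (user name, key object)
        self.sessions = {}   # session ID -> {"user": None or name, "issued": time}

    def register(self, user, public_key):
        self.users[raw(public_key)] = (user, public_key)

    def login_link(self):
        sid = secrets.token_urlsafe(32)   # unguessable, not yet tied to anyone
        self.sessions[sid] = {"user": None, "issued": time.time()}
        return f"gpgme://{HOST}/{sid}"

    def authenticate(self, sid, public_raw, signature):
        session, entry = self.sessions.get(sid), self.users.get(public_raw)
        if session is None or entry is None or session["user"] is not None:
            return None      # unknown session, unknown key, or already claimed
        if time.time() - session["issued"] > SESSION_TTL:
            return None      # stale login link
        user, key = entry
        try:
            key.verify(signature, challenge(HOST, sid))
        except InvalidSignature:
            return None
        session["user"] = user   # only now does the session get an identity
        return user

def client_sign(uri, private_key):
    # What the local gpgme:// handler would send to the daemon.
    parts = urlparse(uri)
    if parts.scheme != "gpgme" or not parts.hostname:
        raise ValueError("not a gpgme login URI")
    sid = parts.path.lstrip("/")
    return sid, raw(private_key.public_key()), private_key.sign(challenge(parts.hostname, sid))
```

A key for trying this out comes from `Ed25519PrivateKey.generate()` in `cryptography.hazmat.primitives.asymmetric.ed25519`. The daemon stores only public keys, and a session ID can be claimed once.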